Since 2024, multiple zero-day vulnerabilities in the Windows Common Log File System (CLFS) driver (clfs.sys) have been exploited by ransomware groups such as RansomEXX and Play (tracked by Symantec as Balloonfly). These Elevation of Privilege (EoP) flaws let an attacker who already has local code execution on the host escalate to SYSTEM, and they were used in real-world attacks before patches were available.
Microsoft shipped fixes across several Patch Tuesdays (December 2024 to May 2025) for CVE-2024-49138, CVE-2025-29824 and CVE-2025-32706, among others, but several of them were already being exploited in the wild by the time the update was released.
The full technical breakdown, IOCs and detection tips are in the report.
Do you want to know more about the Extended Threat Intelligence & Hunting Service?

Flamur Ramiqi
Team Lead & Senior Threat Intelligence Analyst and Detection Engineer